RokRAT malware created by the North Korean hacking group APT37 (Reaper): 250615_양곡판매소 운영 현황.hwp (2025-06-18)

2025-08-11 Sakai RokRAT malware created by North Korean hacking group APT37/Reaper: grain sales office operations status HWP

https://wezard4u.tistory.com/429564


A Korean malware analysis attributes a malicious HWP document named “250615_Grain Sales Office Operations Status.hwp” to APT37/Reaper and describes it as RokRAT-themed activity. The lure content concerns grain sales and distribution in Pyongyang, indicating likely targeting of people working on North Korea-related issues or research. The document embeds a Proton Drive hyperlink and OLE objects that drop ShellRunas.exe and credui.dll into the TEMP directory when the relevant page is accessed. Infection depends on the user approving the ShellRunas.exe execution prompt, and the write-up also records a Dropbox-hosted Father.jpg URL that could not be further analyzed because the files were no longer downloadable.

Indicators of Compromise

Type   Value                                   First Seen   Last Seen
HASH   47c1cfc2380c3fa6c8283160707544fb        2025-08-11   2025-08-11
HASH   f20674ffc0267222555a0a23b580ee0…        2025-08-11   2025-08-11
HASH   71620bd3d6462e901324f08e97bebd0…        2025-08-11   2025-08-11
URL    https://drive.proton.me/urls/DM…        2025-08-11   2025-08-11
URL    https://drive.proton.me/urls/DM…        2025-08-11   2025-08-11
URL    https://dl.dropboxusercontent.c…        2025-08-11   2025-08-11
IPv4   217.60.37.55                            2025-08-08   2025-08-11
